IT201800021550A1 - "Procedure for protecting against computer attacks on the vehicle and corresponding device" - Google Patents

Description

DESCRIPTION of the industrial invention entitled:

"Procedure for protecting against computer attacks on the vehicle and corresponding device"

TEXT OF THE DESCRIPTION

The present invention relates to techniques for protecting against computer attacks in a CAN (Controller Area Network) communication network of a vehicle comprising a CAN bus and a plurality of nodes associated with said CAN bus in a signal exchange relationship and associated at least in part with vehicle functions control unit, comprising the operations of

analyze the content of CAN messages in transit between nodes of said plurality of nodes to identify illegal CAN messages,

block said illegal messages,

said blocking operation including making said illegal messages invalid with respect to an integrity check performed by a CAN controller of said nodes, by inserting a sequence of corruption bits recognized as an error by said CAN controller, in particular by replacing part of the sequence original bit with a corruption, getting a corrupt message.

The CAN bus, adopted as a communication BUS in vehicles, is a serial and multi-master communication means, in which each master, also known as a node connected to the bus, is able to send, receive and resolve simultaneous access conflicts. being sent by multiple nodes.

A node 11 capable of communicating on the CAN bus 10 generally comprises, as shown in Figure 1a:

- a CAN transceiver, or CAN Transceiver, 12, associated through a transmission line TT and a reception line TR to the CAN bus 10 and configured to manage the electrical levels of the CAN bus (Physical level of the OSI model); - a CAN controller, or CAN Controller, 13, which is connected through respective CT transmission and CR reception lines to the CAN transceiver 12, and configured to manage the logic levels and serialization of the CAN 10 bus (Data link level of the OSI model) ;

- a microcontroller 14, which contains the logic for sending and receiving messages (management of the OSI levels higher than the Data link level). Figure 1A shows one of the possible implementation solutions which provides that the CAN controller 13 and the microcontroller 14 are placed in the same System-on-Chip 15, while the CAN transceiver is on a separate chip.

It is known to install a protection device 16 from cyber attacks between the CAN 13 controller and the CAN 12 transceiver, as shown in Figure 1. The protection device 16 processes, in particular analyzes, the messages in transit between the CAN 13 controller and the CAN transceiver 12 identifies the illegal or malicious messages, and carries out operations to block the injection of these malicious messages on the CAN bus in different use cases, which are described in Figures 2, 3, 4 and 5.

In particular, in figure 1B the protection device 16 receives CAN messages on the transmission line CT from the CAN controller 13 to the protection device 16, analyzes them and filters them, by means of the aforementioned locking operations, so that the line between the protection device 16 and CAN transceiver 12 is a filtered transmission line DT on which the CAN messages processed by the protection device 16 transit. Conversely, the CAN messages arrive from the transceiver 12 to the protection device on the reception line CR, which connects these modules, and are processed to the protection device 16 and transmitted on a filtered reception line DR to the CAN controller 12 by the protection device 16.

In particular in Figure 2, a case is shown in which given a vehicle network 20 which comprises a plurality of nodes 111 ... 11n, representative for example of vehicle control units, such as ECU (Electronic Control Unit), for example Engine Control Unit, but also control units for lighting, air conditioning, transmission control, ABS, suspension control, and other dedicated processor modules other vehicle services. In this plurality of nodes 111 ... 11n the node 111 is a protected node, equipped with a protection device 16, and the case is shown in which this protected node 111 is malicious and injects CAN messages, or CAN frames, malicious, i.e. not lawful , MF to the vehicle network 20. This use case is that in which, for example, the microcontroller 14 has been violated by means of other communication channels, such as a wireless channel, as can happen for nodes corresponding to Infotainment units / Telematics. In this case the presence of the protection device 16 prevents such messages MF from reaching the vehicular network 20, that is to say the other unprotected nodes 112… .11n.

Figure 3 shows the case in which the malicious CAN messages MF are injected from the vehicular network 20, ie from one of the nodes without a protection device, that is, unprotected nodes, 112… .11n, in particular node 112. This figure represents the use case in which any node of the vehicle network 20 has been violated. In this case, the presence of the protection device 16 prevents messages not pertinent to the respective protected CAN node 111 on which it is installed from being processed by the microcontroller 14.

Figure 4 shows the case in which the protection device 16 is used inside a CAN gateway 18. This configuration makes it possible to isolate two distinct CAN networks 20A and 20B, with respective nodes 11A1 ... 11An and 11B1 ... 11Bn, in generally unprotected, to guarantee the filtering of CAN frames in transit from and between one network and another. In the specific case of Figure 4, the protection device 16 blocks the illegal messages MF transmitted by the network 20A and prevents their diffusion on the network 20B. It is clear that the protection device 16 can also block an illegal CAN message MF transmitted from a node of the network 20B to the network 20A through the gateway 18.

US patent application US2015 / 191136 A1 describes a protection device that operates in the CAN bus of motor vehicles which provides for blocking messages in transit whose parameters verify illegal message criteria. The block is operated by making invalid with respect to a validity check performed by the CAN controller, i.e. by corrupting the illegal messages during their transmission between the CAN transceiver and the CAN controller, by inserting a sequence of bits recognized as an error by the CAN controller , in particular stuffing bit, or filling bit, in particular by inserting a Stuff error through a sequence that does not respect the bit stuffing rule foreseen by the CAN protocol which determines by the CAN controller to ignore such illegal messages and not to propagate such illegal messages on the CAN network. However, the manipulation of the stuff bit number can generate a temporal misalignment between the corrupted message (sent on the bus) and the “Error-Frame” message generated by the CAN node that receives the corrupted message.

The present invention has the aim of obtaining a monitoring procedure which allows to make illegal messages invalid, by carrying out a correct alignment.

According to the present invention, this object is achieved thanks to a protection method as well as a corresponding protection device having the characteristics referred to specifically in the following claims.

The invention will be described with reference to the attached drawings, provided purely by way of non-limiting example, in which:

Figures 1A and 1B, 2, 3, 4 have already been previously described;

Figure 5 represents a basic diagram of the protection device implementing the procedure described here;

Figure 6 is a diagram which schematically represents CAN messages processed by the protection device;

Figures 7A, 7B, 7C schematically represent the protection device described here in three operating phases of the method;

Figure 8 is a flow chart representing operations of the process described here.

Figure 5 shows a basic block diagram of a protection device 26 according to the invention. This protection device 26 is shown arranged between a CAN controller 13 and a CAN transceiver 12 in a protected node of a CAN 10 network, as for example in the configuration of Figure 3 of node 111. The solution described here is independent of the version of CAN on to which it is applied (CAN2.0 and CAN-FD, therefore) and for the sake of simplicity only the scenario relating to the CAN2.0 version is described

The protection device 26 comprises a firewall module 261, which generally receives a sequence of CAN messages M sent on the reception line CR and on the transmission line CT and sends a filtered sequence of CAN messages on the filtered reception and transmission lines DR DT. M messages can be, as mentioned, illegal MF messages. The filtered sequence, as better described below, can contain the CAN M messages themselves, can contain corrupt MF 'messages obtained from illegal MF messages or can apply the blocking through corruption (B2 mode described below) in total mode to M messages lawful and unlawful MF.

Therefore, this firewall module 261 is configured to: - extract the information content of a CAN M message transiting on the transmission lines CT or reception CR;

- perform the analysis of this information content. This for example comprises comparing field values of the transiting CAN message M with a set of firewall rules R stored in a rules storage module 262 which represents a rules database, to which the firewall module 261 has at least read access;

- make the CAN M message in transit invalid, if identified on the basis of the content as an illegal CAN message MF. This occurs by corrupting it during transmission from the protection device 26 in accordance with blocking modes, for example B1 and B2, better detailed below, in the event that the message M analyzed is identified as an illegal message MF, while this message illegal MF is still in transit on the CAN bus;

As said, the protection device 26 further comprises a rules database 262, which is the database containing rules R applied by the firewall 261 to the analyzed CAN messages, ie in transit, to identify illegal messages MF. The CAN messages M in transit, arriving from the transmission line CT and from the reception line CR, can be subjected to the same set of rules R in the rules database 262 or this rules database 262 can contain two sets of rules applied independently to CR reception and CT transmission.

The protection device 26 also comprises an operations storage module 263, i.e. a memory area dedicated to storing a register, or "log", of operations B carried out by the protection device 26 on the CAN bus 10. The protection device 26 accesses this module 263 to write such operations B carried out by the protection device on the CAN bus 10. This register B includes statistics relating to the activity of the firewall 261, such as quantity of illegal frames MF corrupted on the transmission line CT, quantity of frames corrupt on the reception line CR, etc ...) and which can be consulted through a configuration interface 264 which can read access to the operations storage module 263 as indicated in figure 5.

The protection device 26 then comprises, as mentioned, a configuration interface 264 for defining the filtering rules R applied by the firewall 261 and stored in the module 262. In particular, this configuration interface can receive a filtering configuration, that is the rules R , of the protection device 26 from an external communication interface not shown in the figure. This configuration interface 264 has a data exchange relationship with the rules database 262, in which it writes for example the set of rules R for filtering through a firewall and the operations storage module 263, as said for example to read Firewall Operation Log Data 261.

Associated with the 264 configuration interface is an authentication module 265, which is configured to verify the authenticity of the filtering configuration received from the external communication interface, for example through digital signature and data encryption mechanisms.

The protection device 26 is generally configured to implement a filter that blocks malicious and irrelevant CAN messages, allowing only legitimate data to pass.

The distinction between lawful and illegal messages can be configured based on the intended use of the protection device 26 and defined through the following distinctive parameters C:

C1: CAN message identifier;

C2: length of the CAN message;

C3: transmission times, for example a frequency in the case of a periodic message;

C4: content of the message. This parameter is used only for diagnostic messages;

C5: vehicle status. This parameter is used only for diagnostic messages;

C6: percentage of bus usage in the unit of time.

The protection device 26 is configured to apply the set of rules R in general to non-diagnostic and diagnostic messages, applying further and specific filtering rules in this set if a diagnostic frame is recognized in transit. protection 26 is also configured, in particular through the firewall module 261, to operate two message blocking modes:

a selective blocking mode B1: all and only illegal CAN MF messages are blocked

a total block mode B2: all CAN messages are blocked, both lawful M and non-lawful MF.

The total block mode B2 can be configured in the following ways of use:

first mode of use BC1, in the total blocking mode B2 is enabled or disabled, second mode of use BC2, in which if the total blocking mode B2 is enabled, it is possible to define the type of violation in the protection device 26 and the number of violations, for each of the specified violation types, at which total blocking mode B2 must be activated, as well as the time it must remain active. In the second way of use B2, one or more deactivation parameters are therefore defined in a list including type of violation, violation number, deactivation time;

The total block mode B2 allows you to virtually disconnect an i-th node 11i or a network (e.g. 20B in figure 4) from the CAN 10 bus for an arbitrary period of time which, depending on the configuration, can also be almost perpetual, thus completely isolating the node 11i or network or restoring the communication capabilities of the node 11i at the end of the set time period.

The mechanism by which the protection device 26 blocks an illegal CAN message implements a zero-delay mode. This makes it advantageous to use the protection device 26 in all applications in which the propagation delays introduced by additional filtering elements, such as the protection device 26, must be minimized.

As mentioned, the zero-delay message filtering mode, implemented by the protection device 26, provides for exploiting the integrity control mechanisms present in the CAN bus, making invalid, i.e. corrupting, the illegal CAN message MF during transmission on the CAN bus, so that the receiving nodes ignore the aforementioned illegal message MF already at the digital level of the CAN 13 controller, i.e. the Data link level, where the integrity check of the message is carried out, without propagating the message to the microcontroller 14 (and to the higher levels of the OSI stack). Therefore, this zero delay mode is opposed to that in which the filter element receives analysis-retransmits, as is typical behavior of gateways, since even in the ideal condition of null analysis times, the filter element must still wait for the message terms before being able to analyze it and, if it is lawful and must be retransmitted, participate again in the contention and arbitration phase of the bus (after the analysis phase), introducing an additional delay equal to at least the duration of the retransmission of the message itself. Furthermore, since it is necessary for the filter element to win the contest of the CAN bus in order to proceed with the retransmission of the previously analyzed message, this additional delay can be significantly longer, with an upper limit, due to the characteristics of the CAN protocol, theoretically infinite: case of transmission of messages with higher priority by other nodes in the network.

The zero-delay mode implemented by the protection device 26, on the other hand, makes it possible to inspect a CAN message in transit, i.e. during transmission or reception by the node on which it is installed, and therefore allows:

- to act promptly by corrupting the illegal message even before its transmission or reception ends

- let the message pass unaltered if lawful, thus not impacting its propagation time.

The zero delay CAN frame filtering procedure, by means of the first selective blocking mode B1 or second total blocking mode B2, implemented by the protection device 26, specifically includes two operations which determine that the propagation time of the CAN message is not altered and that the illegal message is deemed, by the malicious node, to be sent successfully.

A first operation is an F1 blocking operation of the message in transit to the protection device 26 by corrupting the bit sequence of the CAN message itself.

A second operation is an obscuring F2 operation to the malicious CAN node which transmits the illegitimate CAN MF message intercepted by the protection device 26 of the corruption of this illegal CAN message transmitted by it, and therefore of its consequent blocking by the controls. integrity in the CAN controllers of the other CAN nodes.

As a consequence of these modes of blocking B1 or B2 through corruption F1 and obscuring F2, the protection device 26 and the protection procedure implemented by this device 26 make it possible to guarantee the simultaneity between the end of the transit of the illegal CAN message, and corrupted by the F1 operation by the protection device 26, and the end of the transmission of an error message in response to this corrupt illegitimate CAN message, i.e. as a consequence deriving from the detection of the error condition introduced by the protection device 26 in the malicious CAN message, in order to corrupt it, by the receiving CAN node (s), 111 ... 11n, other than the node that includes the protection device 26 which applies the blocking operation F1 to the illegal message MF and other than the CAN node which injects the MF malicious message.

This simultaneity represents a fundamental aspect in order to prevent the triggering of non-aligned overlaps in sending messages that would lead to continuous data corruption on the CAN 10 bus, with overhead on bus occupation, and, lastly, to a communication interruption. .

The protection procedure implemented by the protection device through the F1 corruption and F2 obscuring operations exploits the particular structure of the Data and Error type messages of the CAN protocol; in particular, the data type message is structured with S sections of contiguous bits listed below in table 1:

Table 1

The structure of the S sections of the Data type message is naturally known per se, in the CAN bus standard.

Error messages include Active and Passive messages structured as in Table 2 for Active Error:

Table 2

while they are structured as in Table 3 for Passive Error:

Table 3

In Figure 6, by way of example, a case referred to the Active Error is shown. MF indicates the CAN message not permitted in transmission, while MF 'indicates the corrupt message containing an EM error message in the queue, a CAN message of type Error in Response, from one of the receiving nodes, after the control integrity of its CAN controller detects corruption.

With bt a bit time axis is also indicated and with NV a signal written by the protection device 26 in the illegal CAN message MF. With Si is indicated the internal signal generated by the protection device. In particular, the signal Si is the signal DT in the protection device 26 in the case of a message being transmitted, or alternatively it is the signal DR of the protection device 26 in the case of a message being received.

In order to guarantee the simultaneity of the end of transmission of the illegal CAN message MF, of the Data type, corrupted by the protection device 26, and the related EM message of the Response error type, issued by any of the receiving nodes 11, or so that the ITM fields (S8 field for the illegal MF message and SE3 field for the EM error message) of these messages are aligned and overlapped, it is necessary to insert an error condition at an exact point, i.e. at a specific bit value time bt of the illegal message MF. This is done in particular by replacing part of the original bit sequence with one of corruption, resulting in a corrupted message.

The exact point in which to insert the corruption sequence of 6 consecutive bits (NV) is uniquely determined by the format of the packet and the rules of the CAN protocol and requires the use of resources / logic modules dedicated to its computation and computation of the polarity of the bits constituting said corruption sequence NV.

In particular, to calculate the starting point of the sequence of 6 consecutive bits inside the CRC field and the polarity (dominant or recessive) of the bits that compose it, the protection device 26, in particular the firewall module 261, is equipped with one or more modules / logic elements suitable for or configured for:

- dynamically calculate (at runtime) the value of the CRC (Cyclic Redundancy Check) S5 field in order to predict the number of stuff bits that will be present within the CRC field;

- analyzing the content of the CRC field reconstructed in the previous step, also taking into account the bits that precede the CRC, in order to evaluate the number of stuff bits that will be present in the CRC field, that is, in the S5 field of the message M, MF. Since the CRC field is data-dependent (and therefore varies at runtime as does the data), the exact insertion point of the corruption sequence is also determined dynamically. With reference to Figure 6, the exact point of insertion in the corruption sequence is the instant btj-5, while the instant in which the receiving node detects the condition of "Stuff error" (SPE) is the instant btj. With btj-6 the last bit immediately preceding the first bit of the corruption sequence is indicated, in order to emphasize that the corruption sequence must have opposite polarity to this bit.

Because of that:

- the CAN node 11 that receives the corrupt MF message responds with an EM error message (fields SE1, SE2, SE3 as in the example an Active Error is shown, otherwise the fields SP1, SP2, SP3 of the Passive Error are used ) starting from the bit time btj + 1 immediately following that btj at the point in which the Stuff error SPE condition occurs. More specifically, as shown in Figure 6, the error message EM is written starting from bit time btj + 1. In the case of multiple receiving nodes, each receiving node 11i transmits a CAN EM error message whose error frames are exactly superimposed on those of any other CAN EM error message sent by any other receiving node;

- the term of the error message (or overlapping messages), the SE3 ITM field, which contains a zone of recessive bits, specifically 3 bits, which acts as a separator between messages, is temporally aligned with the corresponding ITM field, S8, of the message unlawful MF, which is simultaneously retransmitted unaltered to the sending malicious node.

Even with the same length of the various fields of the Data frame of a CAN message, the length of the CAN message can vary according to their content, due to the possible insertion of stuffing or filling bits, therefore the protection device 26 is configured to dynamically calculate, CAN message by CAN message, the btj-5 insertion point of the CRC field in which it is necessary to insert the NV sequence of 6 consecutive bits with the same polarity, in case the MF frame is to be corrupted . The protection device 26 is configured to dynamically calculate, CAN message by CAN message, both the insertion point btj-5 of the CRC field in which it is necessary to insert the NV sequence of 6 consecutive bits with the same polarity, and the polarity of the bits of said sequence NV, which must be opposite to that of bit btj-6, in case the frame MF is to be corrupted.

As mentioned, the other fundamental operation performed by the protection device 26 is the obscuring F2 to the malicious CAN node which transmits the illegal CAN message intercepted by the protection device 26 of the corruption of this illegal CAN message transmitted by itself, and therefore of its consequent blocking by the integrity checks in the CAN controllers of the other CAN nodes.

In the event that the protection device 26 corrupts an illegal frame MF, if the protection device 26 does not hide the corruption, (i.e. the sequence NV inserted in an insertion point btj-5 of the CRC S5 field of the illegal frame MF and which determines the condition of Stuff error SPE at point btj), the sending CAN node of the malevolent frame MF would reveal this condition of Stuff error SPE and, as a consequence, would proceed to interrupt the transmission of the malevolent frame MF, to transmit a frame EM Error type (misaligned with respect to all other Error frames sent by all other receiving nodes) and would subsequently attempt to retransmit the same malicious frame.

The operation of obscuring F2 of the process of corruption of the message in transit is managed as shown in Figure 7, where the highlighted elements "CAN Controller" 13 and "CAN Transceiver" 12 are, for example, those belonging to the protected CAN node 111 on which it is the protection device 26 is installed and this protected CAN node transmits a malicious message MF (case in which the host of the CAN node on which the protection device 26 is installed has been violated). In particular, since each bit of the CAN MF message transmitted on the transmission line CT is also reread on the reception line CR, the protection device 26 operates as follows, carrying out the corruption operation, after which, as shown in Figure 7A, the malevolent frame MF arriving at device 26 on the transmission line CT, of the malevolent frame, has been identified in two phases:

in a first phase, represented in figure 7B, from the host side, i.e. towards the malicious node, (CT transmission lines and DR filtered reception lines), the illegal CAN message MF is replicated without any alteration of the bitstream on the filtered reception line DR, while on the CAN bus side downstream of the transceiver 12, i.e. towards non-malicious receiving nodes, i.e. on the filtered transmission line DT and on the non-filtered reception line CR, the illegal message MF is appropriately corrupted by modifying its bitstream, as a corrupt message MF ';

in a second phase, represented in figure 7C, from the host side, i.e. towards the malicious node, the protection device 26 emulates the CAN bus, signaling the correct reception of the message by the other nodes 112 ... 11n of the network 20, by means of a message correct OR reception on the DR line (Figure 7C), in particular by sending the dominant bit during the bit time ACK Slot; at the same time, on the CAN bus side, the protection device 26 blocks the error signaling, via Error Frame EM provided by the CAN protocol, on the CR line by the other nodes 11 of the network that have received the corrupt message MF '.

The operation of obscuring F2 of the process of corruption of the message in transit also applies to the case of an illegal message being received, or transmitted by a CAN node 111, other than the protected CAN node 111 on which the protection device 26 is installed, in a manner similar to what is expressed above and by what is reported in figures 7A, 7B and 7C, in accordance with the characteristics of the CAN protocol in the event of a message being received. In particular, the MF message to be replicated to the malicious node, which should be transmitted by duality on DT in this case, is not necessary, i.e. no replication action is adopted, but a correct reception OR message is sufficient as evidence of correct reception of the malicious message (which this time is on CAN bus 10).

Therefore, the method of protection against computer attacks in a CAN (Controller Area Network) communication network 20 of a vehicle comprising a CAN bus 10 and a plurality of nodes 11 associated with said CAN bus 10 in signal exchange relationship and associated at least partly to the vehicle function control unit, comprising the operations of analyzing the content of CAN messages M in transit between nodes of said plurality of nodes 11 to identify illegal CAN messages MF, and blocking said messages through the modes B1, B2 not lawful MF, where this blocking operation through the modes B1, B2 comprises making invalid the non lawful messages MF, i.e. corrupting F1, with respect to an integrity check performed by a CAN controller 13, of said nodes 11, by entering F1 a sequence of bits NV of corruption recognized as an error by said CAN controller 13, obtaining a corrupt message MF ', specifically foresees to insert F1 said sequence of bits NV of corruption in an S5 integrity check field, in particular a CRC field, of the illegal CAN message MF at a bit time btj-5 whose value is such as to temporally align a separator field, i.e. ITM, of the illegal message with a corresponding separator field of an error message EM generated by a node of the network 20 which receives said illegal message MF comprising said corruption sequence NV. Note that this inserting operation is performed by replacing part of the original bit sequence, in particular of the integrity check field S5, with a corruption one, the bit sequence NV, in particular this bit sequence NV having polarity opposite to the polarity of the bit at time btj-6 preceding bit at insertion point btj-5, resulting in a corrupt or illegal message MF.

The process described further comprises of

extracting an information content of the message M in transit during transmission;

- perform the analysis of said information content called information content based on a set of firewall rules (R),

- make the message M F1 invalid if said analysis of the information content identifies the message (M) analyzed as an illegal message MF obtaining a corrupt message MF '.

The described procedure then comprises selecting whether to apply the operation of making F1 invalid the non-lawful message MF at least according to a selective blocking mode B1 to all and only the non-lawful CAN MF messages or according to a total blocking mode B2 to all CAN messages, legal M and illegal MF.

The procedure described further comprises that said operation of making the illegal message MF invalid comprises an operation of obscuring F2 to the CAN node or CAN network which transmits the illegal MF CAN message, said operation of insertion of bits NV of corruption, by means of the steps of

replicate said unlawful CAN message MF without any alteration, in particular without sequence NV, towards the CAN node 11 which transmits said illicit message MF, or do not take any replication action towards the CAN 10 network which transmits said illicit message MF,

emulate the CAN 10 bus or the CAN 11 node for the case of transmission of the illegal message by CAN 11 or CAN 10 bus, respectively signaling the correct reception of the illegal message MF by a receiving node or receiving nodes and at the same time blocking error messages EM associated with said illegal message MF to said CAN node or CAN network that transmits said illegal message.

These operations are implemented by the protection device 26, in particular by its firewall module 261 on the basis of the rules R stored in the storage module 262.

The protection device 26 for this purpose can be in variant forms and is arranged between a CAN controller 13 and a CAN transceiver 12 of a CAN node, which is thus a protected node, even if it should be the same malicious node.

The protection device 26 can be in further variant forms arranged interposed between two CAN networks 20A, 20B in association with a gateway 18.

The protection device 26 has, as mentioned, a configuration interface, the interface 264 which allows the definition of firewall rules R through the following lists and parameters:

- “white-list”, ie list of enabled or admitted elements, for the admitted messages (for each direction) to be applied in certain vehicle conditions. Each item in this list includes the following fields:

a) identification;

b) length;

c) transmission parameters and violation threshold;

d) Type of message (diagnostic / non-diagnostic) - "white-list of diagnostic services" allowed (applicable only to diagnostic messages); - “black-list, ie list of non-enabled or non-allowed elements, of non-allowed diagnostic services” (applicable only to diagnostic messages) to be applied in certain vehicle conditions;

- "white / black list violation thresholds" to activate the total block mode;

- “bus occupation thresholds” to activate the total block mode;

"Vehicle condition detection information" to determine which status (eg current speed greater than 5km / h) to be used in conjunction with the "black-list of diagnostic services" and the "white list" of allowed messages.

The R firewall rules set using the above parameters and lists are stored in the storage module 262 tables and can be updated by adding new R firewall rules or by overwriting and / or deleting the existing R firewall rules. 26 in the storage module 263 stores all the statistical information B relating to the activity of the firewall (quantity of illegal frames corrupted on the DT line, quantity of illegal frames corrupted on the DR line, etc ...) and which can be consulted through the configuration interface 264 which can access module 263 as indicated in figure 5.

The application of the firewall rules R defined and contained in the storage module 262 is implemented for each CAN M message of the Data frame or Remote frame type. A schematic representation of the filtering process is shown in Figure 8.

In accordance with the flow chart of Figure 8, an exemplary embodiment of the protection procedure 100 performed by the protection device 26 is described.

After a start 105 of the procedure, in a step 110 from the Arbitration S2 field of the CAN message in transit M the firewall 261 extracts a message identifier (ID 11/29 bit), which is compared with the relative field of the "white-list" to the vehicle condition set. If this message identifier is present, proceed with the next step 120, otherwise the message M is considered illegal MF and proceed with step 180.

At step 120 from the Control S3 field of the CAN message in transit M the firewall 261 extracts a message length (4-bit DLC), which is compared with the relative field of the "white-list". If the length is correct, proceed with the next step 130, otherwise the CAN M message is considered illegal message MF and proceed with step 180.

At step 130 the time elapsed since the last reception of the same message is measured, based on the identifier, and is compared with the configured timing thresholds (for example a time interval defined between a maximum time Tmax and a minimum Tmin, or through a period etc, also in relation to the history of the violations of the timing rules. If the time elapsed since the last reception of the same message falls within an allowed interval or is not within the allowed interval, but the number of violations detected is lower than a defined threshold value (parameters all extracted from the "white list", such as the time interval ones) proceed with the next step 135 otherwise the CAN M message is considered illegal message MF and proceed with step 180.

In this step 135 it is checked whether the message M is of the diagnostic type. If not, one passes to a step 160 for updating the vehicle status. If so, the value of the diagnostic service is extracted from the Data field in a step 140 and checked that it is present in the "white-list of diagnostic services" stored in module 262. If present, proceed with the next step 150 otherwise the CAN message M is considered illegal message MF and one proceeds with step 180.

Subsequently, in step 150 the value of the diagnostic service is extracted from the Data S4 field and checked that it is not present in the “black-list of diagnostic services” for the vehicle condition set (see step 160). If the message M is present, it is considered illegal message MF passing to step 180, otherwise it is legal and one moves on to step 160 for updating the vehicle status.

In this step 160, using "vehicle condition detection information" together with the Arbitration and Date fields of the M message, the internal information representing the condition of the vehicle is updated. Specifically, step 160 checks whether it is necessary to update the vehicle status. The discriminating factor for assessing whether the vehicle status must be updated is contained in the set of R rules. The verification is based on the Arbitration and Date fields of the frame in transit.

Then, in a step 170, the bus occupation value is updated from the total length of the message and compared with the "bus occupation thresholds". If the message does not respect these thresholds, the CAN message M is considered illegal message MF and one proceeds with step 180. Conversely, procedure 100 in a step 195 ends.

Therefore, in general, the operations of the firewall 261 of extracting the information content of a CAN M message transiting on the transmission lines CT or reception CR and performing the analysis of this information content, comprise one or more of the operations 110, 120, 130 , 135, 140, 150, 170.

In step 180, since the CAN message M is considered illegal message MF, it is determined by combining the type of violation detected with the "white / black list violations thresholds" it is determined whether to activate the blocking mode B1 or B2.

In step 190, the information of the validity of the message and of the blocking mode B1 or B2 to be implemented are transmitted to the firewall block 261 which carries out the operations required by the blocking mode, i.e. total blocking (B1) or blocking operation through corruption F1 and blackout F2 (B2).

The protection device 26 provides to operate both with single-frame diagnostic messages and with multi-frame messages. In the case of multi-frame diagnostic messages, if the first frame of the message chain is recognized as malicious, the protection device 26 is able to block this message and all subsequent messages that make up the multi-frame message, through the step 135. Consequently, there are 26 counters inside the protection device to keep track of how many CAN frames have transited on the CAN bus, and to determine when to terminate the corruption process for a specific diagnostic service.

Therefore, from what has been described above, the advantages of the proposed solution are clear.

The described device and procedure allow to avoid the temporal misalignment between the corrupt message (sent on the bus) and the “Error-Frame” message generated by the CAN node that receives the corrupted message.

The device and the procedure described also allow, through an appropriate obfuscation process, to mask the corruption operation to the CAN node that sent the illegal frame. This avoids automatic retransmission, with consequent occupation of the CAN bus, by the malicious CAN node.

The device and procedure described make it possible not to introduce any propagation delay of the CAN messages, guaranteeing their use transparently by the CAN nodes involved.

The device and the procedure described also allow operating with diagnostic CAN messages. Thanks to a dedicated control logic, it is possible to recognize a sequence of multi-frame diagnostic messages and invalidate, if the diagnostic service is identified as malicious, the entire chain of messages.

Claims (11)

CLAIMS 1. A method of protecting against computer attacks in a CAN (Controller Area Network) communication network (20) of a vehicle comprising a CAN bus (10) and a plurality of nodes (11) associated with said CAN bus (10) in relation signal exchange and associated at least in part with vehicle function control units, comprising the operations of analyze the content of CAN messages (M) in transit between nodes of said plurality of nodes (11) to identify illegal CAN messages (MF), blocking (B1, B2) said illegal messages (MF), said blocking operation (B1, B2) including making said illegal messages (MF) invalid (F1, F2) with respect to an integrity check performed by a controller CAN (13) of said nodes (11), by inserting (F1) a sequence of bits (NV) of corruption recognized as an error by said CAN controller (13), obtaining a corrupt message (MF '), characterized by the fact of insert (F1) said sequence of bits (NV) of corruption in an integrity check field (S5), in particular a CRC field, of the CAN illegal message (MF) at a bit time (btj-5) whose value is such as to temporally align a separator field (ITM) of the illegal message with a corresponding separator field of an error message (EM) generated by a network node (20) that receives said illegal message (MF) comprising said sequence of corruption (NV). 2. Process according to claim 1, characterized in that it comprises of extracting an information content of the message (M) in transit during transmission; - perform the analysis of said information content called information content based on a set of firewall rules (R), - make invalid (F1, F2, 190) said message (M) if said analysis of the information content identifies the message (M) analyzed as an illegal message (MF) obtaining a corrupt message (MF '). 3. Process according to claim 1, characterized by the fact of selecting (180) whether to apply said operation of making invalid (F1, F2, 190) the illegal message (MF) at least according to a selective blocking mode (B1) to all and only the CAN (MF) messages that are not lawful or according to a total block mode (B2) to all CAN messages (M, MF). Method according to one of claims 1 to 3, characterized in that said operation of making invalid (F1, F2, 190) said illegal message (MF) comprises an operation of obscuring (F2) to the CAN node (11 ) or CAN network (10) that transmits the illegal CAN (MF) message, said operation of insertion of a sequence of bits (NV) of corruption, through the steps of replicate said illicit CAN message (MF) without any alteration towards the CAN node (11) which transmits said illicit message (MF) or do not take any replication action towards the CAN network (10) which transmits said illicit message (MF) ), emulate the CAN bus (10) or the CAN node (11) for the case of transmission of the illegal message by CAN (11) or CAN network (10), respectively signaling the correct reception of the illegal message (MF) from part of a receiving node or receiving nodes and at the same time blocking error messages (EM) associated with said illegal message (MF) to said CAN node (11) or CAN network (10) which transmits said illegal message (MF). Method according to one of claims 2 to 4, characterized in that said set of firewall rules (R) comprises one or more of the following lists and parameters: - white-list for the messages allowed to be applied in certain vehicle conditions; - white-list of admitted diagnostic services; - black-list of diagnostic services not allowed to be applied under certain vehicle conditions; - thresholds for violations of white lists and black lists to activate the total blocking mode (B2); - CAN bus occupation thresholds (10) to activate the total block mode (B2); - vehicle condition detection information indicative of the vehicle conditions to be used to evaluate said black-list of diagnostic services and said “white list” of admitted messages. 6. Protection method according to claim 5, characterized in that it comprises one or more of the following operations for analyzing the information content of the CAN (M) message - extracting (110) a message identifier and comparing it with a corresponding field of a white-list for a given condition of the vehicle; - extract (120) a message length that is compared with a corresponding field of a white list, with the relative field of the white-list - measured (130) of a time elapsed since the last reception of the same message and comparison with timing thresholds a) verifies, if the message is of a diagnostic type, the presence in a white-list of diagnostic services b) extraction, if the message is of a diagnostic type, of the value of the diagnostic service and verification of the presence in a "black-list of diagnostic services" for a given condition of the vehicle. - verification of a bus occupancy value and comparison with the bus occupancy thresholds. 7. Protection method according to one of the preceding claims, characterized in that the last bit (btj-6) immediately preceding the first bit (btj-5) of the corruption sequence (NV) has opposite polarity with respect to said first bit ( btj-5) of the corruption sequence (NV). 8. Device for protecting against cyber attacks in a CAN (Controller Area Network) communication network (20) of a vehicle comprising a CAN bus (10) and a plurality of nodes (11) associated with said CAN bus (10) in relation signal exchange and associated at least in part with vehicle function control units, characterized in that it is configured to operate according to the method according to one or more of claims 1 to 7. 9. Protection device according to claim 8, characterized in that it comprises a firewall module (261) configured to perform at least said security operations analyze the content of CAN (M) messages and render invalid (F1, F2) illegal messages (MF) with respect to an integrity check performed by a CAN controller (13) of said nodes (11), and a storage module for storing said firewall rule set (R). Protection device according to claim 8 or 9, characterized in that said protection device (26) is arranged between a CAN controller (13) and a CAN transceiver (12) of a CAN node. 11. Protective device according to claim 8 or 9, characterized in that said protection device (26) is placed between two CAN networks (20A, 20B) in association with a gateway (18).